Mac users often believe the false narrative that their computers are invulnerable to malware. While Mac systems were rarely targeted in the past, that is definitely not how things stand nowadays. The number of cyber crooks developing and releasing Mac-specific malware has been increasing over the years. Among the newest significant OSX threats is EvilOSX. The EvilOSX malware is a RAT (Remote Access Trojan), and its source code is freely available online. As with many other threats released online, its creators state that the EvilOSX RAT should not be used for harmful purposes, even though this hacking tool may have been created specifically for malevolent operations. The authors of the EvilOSX RAT keep releasing updates that improve its capabilities.
So far, the EvilOSX RAT has not been utilized in many campaigns. Despite this, the EvilOSX threat has the capabilities to cause a lot of damage. Since its authors keep the EvilOSX RAT as an open-source project, other cyber crooks can take advantage of the code and potentially expand it. Also, the regular updates released by the creators of the EvilOSX RAT show that they have not abandoned the project and are likely to utilize it in a mass-scale operation eventually.
The EvilOSX RAT has a rather long list of capabilities, which include:
- Downloading files from the compromised system.
- Uploading files to the compromised system.
- Collecting iCloud contacts list.
- Collecting saved Google Chrome login credentials.
- Showing backup files and data.
- Exploiting vulnerabilities in outdated OSX versions that would allow the attackers to gain root permissions.
- Spawning a fake login prompt designed to trick the user into providing the attackers with their iCloud password.
- Opening a reverse shell that would allow the attackers to execute remote commands on the infected host.
The new version of EvilOSX comes bundled with a self-update module, allowing it to update to new versions as they are released. This isn’t something that you should let sit on your system. The good news is the risk of infection is still low, especially for people who keep their antivirus software up to date.
How Does EvilOSX Get on Computers?
EvilOSX works as a Remote Access Tool (RAT) that is likely to get on computers through simple means, like a coworker pulling a mean prank. The virus is open-source, and anyone can freely download it. This accessibility is what makes the virus so widespread. EvilOSX has yet to be packaged alongside other malware and used as part of a broad attack. Someone would need physical access to your computer to install the virus, so you shouldn’t worry too much about infections.
Where Does EvilOSX Install?
The launch agent – called com.apple.EvilOSX.plist – is installed in ~/Library/LaunchAgents. The actual RAT hides inside the hidden “.EvilOSX” folder in ~/Library/Containers. EvilOSX relies on these two components. The installation script deletes itself automatically once the virus is installed.
It is at this point that your antivirus program should warn you about the potential installation. The risk of actually being infected is small for those who have antivirus protection and pay attention to alerts. The author of the malware claims that it is undetectable by antivirus, but many programs have proven that claim wrong.
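Because both persistence components live at fixed paths in the user's home directory, a defender can check for them with a few lines of shell. The following is an added example, not code from the article or from the EvilOSX project; the two paths are the ones named above, while the function name, its exit codes and the constructed demo directories are this example's own assumptions.

```shell
#!/bin/sh
# Added example: look for the two EvilOSX persistence artifacts described
# above in a given home directory. The paths are from the article; the
# function name and return codes are this example's convention.

# evilosx_check HOME_DIR
#   Prints each artifact found. Returns 0 if none found, 1 if any found.
evilosx_check() {
    home="$1"
    found=0
    # Launch agent that re-runs the RAT at every login.
    agent="$home/Library/LaunchAgents/com.apple.EvilOSX.plist"
    # Hidden folder holding the RAT itself.
    payload="$home/Library/Containers/.EvilOSX"
    if [ -f "$agent" ]; then
        echo "FOUND launch agent: $agent"
        found=1
    fi
    if [ -d "$payload" ]; then
        echo "FOUND payload directory: $payload"
        found=1
    fi
    return "$found"
}

# Demonstration against constructed home directories (not a real Mac user):
# one clean tree, and one with an empty placeholder planted as the launch agent.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/clean/Library/LaunchAgents" "$demo_dir/clean/Library/Containers"
mkdir -p "$demo_dir/dirty/Library/LaunchAgents" "$demo_dir/dirty/Library/Containers"
: > "$demo_dir/dirty/Library/LaunchAgents/com.apple.EvilOSX.plist"

if evilosx_check "$demo_dir/clean"; then echo "clean tree: no artifacts"; fi
if ! evilosx_check "$demo_dir/dirty"; then echo "dirty tree: artifacts present"; fi
rm -rf "$demo_dir"
```

On a real Mac, run `evilosx_check "$HOME"` for the logged-in user; a non-zero exit means at least one of the two artifacts is present and the machine should be treated as compromised.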
Should you be Concerned About EvilOSX?
There are currently no malware programs that use EvilOSX for their payload, but that doesn’t mean infected users aren’t at risk. The good news is that the virus can only get on your system through someone putting it on there physically, or through a victim being tricked by smart social engineering tactics.
The virus is a cause for concern for those who haven’t properly secured their Mac. EvilOSX can install in about 10 seconds and, unlike some other programs, doesn’t need an administrator password to run. Anyone who has access to the computer could install EvilOSX on it in a matter of seconds. Just having a password on the screensaver could be enough to keep people out of your Mac when you step away from your computer for a minute.
How to Prevent EvilOSX Infection
Keeping to standard security basics should be enough to keep your Mac safe from an EvilOSX infection. Make sure that you have a screensaver password on your Mac and that it is properly locked down, only download and install files from trusted sources, and keep a robust antivirus program installed. If you do all that, it’s unlikely you’ll have a run-in with EvilOSX or any other malware for that matter.
Don’t forget that EvilOSX disappeared for nearly a year before making a sudden re-emergence. There’s no telling when a cybersecurity threat might appear. If you do not want to become a victim of the EvilOSX RAT, consider obtaining a reputable anti-virus solution that is compatible with your version of OSX.